Over the past 24 hours, cybercriminals launched two consecutive massive email campaigns, impersonating Intuit Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.

Upon clicking on any of the links found in the emails, users are exposed to the client-side exploits served by the latest version of the Black Hole exploit kit.

More details:

Sample screenshot of the first spamvertised campaign:

Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:

Both of these malicious domains used to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains that are part of the campaign’s infrastructure are known to have responded to the same IPs, for instance, buzziskin.net; addsmozy.net; buycelluleans.com; indice-acores.net. The campaign used to rely on the following name servers: ns1.zikula-support.com; ns2.zikula-support.com.

[…] used in a previously profiled malicious campaign impersonating Intuit – “‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit“, where the client-side exploit-serving URL (art-london.net) was also registered with the […]